Doo, Doo, Doo, Lookin’ Out Information Security’s Back Door

Quick — what do recent news headlines about elephants, Hillary Clinton’s private email server, and national policy battles between the technology industry (Apple, Google, and dozens of others) and the U.S. Government (the FBI and President Obama) have in common?

Strange as it sounds, all three have to do with security back doors – i.e., the means by which normal security measures can be bypassed. Even stranger, all three were mentioned in the same day in my small hometown newspaper. Here’s some additional information about each one.

Elephants (For free!)

Benson’s Wild Animal Farm in Hudson, New Hampshire is the one-time home of Colossus the Gorilla (who was once on the ticket in the first-in-the-nation presidential primary), as well as the Lucky Elephant (who until April 2015 enjoyed a second career at Tufts University, as the embodiment of school mascot Jumbo the Elephant). Here, the combination to the locked gate was changed for the first time since 2010, “after the committee that oversees the facility reported too many people know the code and were abusing the free access.” That’s right — the good people of Hudson, New Hampshire were sharing the access code, and driving into the park without paying the entrance fee.

Hillary’s “Private” Email Servers — Not So Private, After All

Hillary Clinton’s private email servers, running in the basement of her home in Chappaqua, New York during the time she was Secretary of State, were set up to allow them to be accessed remotely by the firm she hired to administer them. It’s easy to understand why she would want this – after all, she doesn’t want her outsourced IT guys physically coming in and out of her basement – but it’s also easy to understand that any time you open up a way for a “good guy” to have access, you’re opening up a way for the bad guys, too.

To make matters worse, it seems like the good guys set it up with a weak / vulnerable configuration. (Full disclosure: the remote access protocol used to access Hillary’s private email server, called Virtual Network Computing (VNC), is exactly the same technology that outsourced IT Help Desk providers routinely use to support their enterprise customers – including Aberdeen Group.)

The United States v. the High-Tech Industry

Back in May 2015, Apple, Google, Facebook, and dozens of other high-tech companies, civil organizations, and security and policy experts sent an open letter to President Obama, urging the administration “to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.”

In mid-October, Apple announced an updated privacy policy, which also explained that starting with devices running iOS 8, the personal data of users is protected by an encryption key tied to each user’s respective passcode, which Apple does not possess. What this means is that the Government can make all the lawful requests it likes of Apple to turn over its customers’ data – but Apple doesn’t have access to that data.

The Government is not happy about this, as FBI Director James B. Comey’s statement before the Senate committee on Homeland Security and Governmental Affairs makes clear: “The United States Government is actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services. However, the administration is not seeking legislation at this time.”

Essentially, the FBI still covets a back door to commercial encryption solutions – in a battle that the industry thought it had already won at the turn of the millennium, as I noted in my blog called RSA and NSA: Say It Isn’t So, Joe. We can expect increased pressure for governments to have a back door for encrypted communications, in the wake of the terrorist attacks in Paris on November 13, 2015. In my own view, the technology industry has it right.

Back Doors in Information Security: Pertinent to the Business

It’s easy to assume that issues related to back doors in information security don’t apply to us – but in fact, there’s an extremely high likelihood that they do! For example, in my research report called Shhhh … It’s SSH: The Keys to the Enterprise, Left Under the Doormat, I pointed out that Secure Shell (SSH) is one of those workhorse technologies that isn’t necessarily on the radar, until suddenly you become aware of just how widely it is used.

For more than 20 years now, SSH has been used to remotely log in to systems, execute commands, transfer files, and establish a protected communications tunnel for other services. Today, SSH is widely used – in almost every enterprise – to provide highly privileged access to high-value enterprise resources in the data center and in the cloud. As the report describes, it’s widely used, but very poorly managed.

Most recently, I’ve published a new research report called How Managing Privileged Access Reduces the Risk of a Data Breach, in which my analysis of current enterprise practices in managing privileged access showed that the window of vulnerability is virtually always left wide open. About 90% of confirmed data breaches involve the compromise and / or misuse of privileged access, and the median total time-to-breach is about 48 days – but for a median of 58% of privileged accounts, the credentials have not been changed in 90 days or more! This analysis also made it clear why proactively managing privileged access has such a large and positive effect on preventing data breaches from occurring in the first place, reducing the associated risk of a data breach by 75% to 80%.
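As an added illustration (not code from the report or from Aberdeen Group), here is a small audit check that applies the post’s 90-day rotation threshold to a constructed inventory of accounts, computes the share of privileged accounts with stale credentials (the metric behind the 58% figure), and shows how far each stale credential’s lifetime exceeds the 48-day median time-to-breach. Account names, dates and the audit date are all made up for the example.

```python
from datetime import date

# Constructed inventory of accounts (illustrative, not data from the report).
# Each record: account name, whether it is privileged, and when its credential was last rotated.
ACCOUNTS = [
    {"name": "root@db-01",    "privileged": True,  "last_rotated": date(2015, 3, 2)},
    {"name": "admin@erp-app", "privileged": True,  "last_rotated": date(2015, 8, 15)},
    {"name": "dba_jsmith",    "privileged": True,  "last_rotated": date(2015, 8, 22)},
    {"name": "svc_backup",    "privileged": True,  "last_rotated": date(2015, 10, 1)},
    {"name": "ops-deploy",    "privileged": True,  "last_rotated": date(2015, 11, 1)},
    {"name": "jdoe",          "privileged": False, "last_rotated": date(2014, 1, 1)},
]
AS_OF = date(2015, 11, 20)           # constructed "today" for the audit run

MAX_CREDENTIAL_AGE_DAYS = 90         # rotation threshold used in the report's metric
MEDIAN_TIME_TO_BREACH_DAYS = 48      # median total time-to-breach cited in the post

def credential_age_days(account, as_of):
    """Days since the account's credential was last rotated."""
    return (as_of - account["last_rotated"]).days

def stale_privileged_accounts(accounts, as_of, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Privileged accounts whose credential has gone max_age_days or more without rotation,
    oldest first. Non-privileged accounts are out of scope for this metric."""
    stale = [a for a in accounts
             if a["privileged"] and credential_age_days(a, as_of) >= max_age_days]
    return sorted(stale, key=lambda a: credential_age_days(a, as_of), reverse=True)

def stale_share(accounts, as_of, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Fraction of privileged accounts that are stale (the report's 58% figure is this number)."""
    privileged = [a for a in accounts if a["privileged"]]
    if not privileged:
        return 0.0
    return len(stale_privileged_accounts(accounts, as_of, max_age_days)) / len(privileged)

def exposure_report(accounts, as_of):
    """One line per stale account: credential age, and by how much that age exceeds the
    median time an attacker needs to turn privileged access into a confirmed breach."""
    lines = []
    for a in stale_privileged_accounts(accounts, as_of):
        age = credential_age_days(a, as_of)
        lines.append(f"{a['name']:<14} credential age {age:>4}d  "
                     f"(exceeds median time-to-breach by {age - MEDIAN_TIME_TO_BREACH_DAYS}d)")
    return lines

if __name__ == "__main__":
    print(f"privileged accounts with stale credentials: {stale_share(ACCOUNTS, AS_OF):.0%}")
    for line in exposure_report(ACCOUNTS, AS_OF):
        print(line)
```

On the constructed data, 3 of 5 privileged accounts are stale (60%), and the account rotated exactly 90 days before the audit date is counted, since the report’s wording is “90 days or more”.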

In other words: this stuff is not only interesting for security teams, but also extremely meaningful for the business! Although a certain song by Creedence Clearwater Revival obviously inspired me for the title of this blog, there’s another line (“Bother me tomorrow, today I’ll buy no sorrows”) for which I’d advise exactly the opposite – we need to pay attention to our information security back doors, today.